Merge pull request #3162 from frack113/registry_event

Add missing EventType
This commit is contained in:
Florian Roth
2022-06-26 20:33:41 +02:00
committed by GitHub
20 changed files with 42 additions and 19 deletions
@@ -7,12 +7,13 @@ references:
- https://attack.mitre.org/techniques/T1037/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md
date: 2019/01/12
modified: 2022/03/26
modified: 2022/06/26
logsource:
category: registry_add
product: windows
detection:
selection:
EventType: CreateKey
TargetObject|contains: 'UserInitMprLogonScript'
condition: selection
falsepositives:
@@ -13,16 +13,17 @@ references:
- https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line
- https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
date: 2021/10/07
modified: 2022/03/26
modified: 2022/06/26
author: Christopher Peacock
level: high
logsource:
product: windows
category: registry_add
detection:
selection1:
selection:
EventType: CreateKey
TargetObject|contains: '\software\NetWire'
condition: selection1
condition: selection
falsepositives:
- Unknown
tags:
@@ -7,12 +7,13 @@ references:
- https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
author: megan201296
date: 2019/02/13
modified: 2021/03/26
modified: 2021/06/26
logsource:
product: windows
category: registry_add
detection:
selection:
EventType: CreateKey
TargetObject|contains: '\Software\AppDataLow\Software\Microsoft\'
filter:
TargetObject|contains:
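Review bot: The new metadata line in this hunk reads `modified: 2021/06/26`, a full year behind the `2022/06/26` that every other rule in this commit receives and behind the commit date shown in the header; it looks like only the day/month of the older `2021/03/26` value was replaced. Change it to `modified: 2022/06/26` so the rule's metadata reflects when the `EventType: CreateKey` line was actually added. The `filter` block continues past the end of the hunk.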
@@ -5,13 +5,14 @@ description: Detects the usage of Sysinternals Tools due to accepteula key being
references:
- https://twitter.com/Moti_B/status/1008587936735035392
date: 2017/08/28
modified: 2022/03/26
modified: 2022/06/26
author: Markus Neis
logsource:
product: windows
category: registry_add
detection:
selection:
EventType: CreateKey
TargetObject|endswith: '\EulaAccepted'
condition: selection
falsepositives:
@@ -3,7 +3,7 @@ id: 9841b233-8df8-4ad7-9133-b0b4402a9014
description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.
status: experimental
date: 2020/05/02
modified: 2022/03/26
modified: 2022/06/26
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/9
@@ -13,6 +13,7 @@ logsource:
category: registry_add
detection:
selection:
EventType: CreateKey
TargetObject|contains: '\Software\Sysinternals\SDelete'
condition: selection
falsepositives:
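Review bot: The added `EventType: CreateKey` under `category: registry_add` narrows this rule to key creation, yet the description in the file's first hunk still says it triggers on "the creation or modification" of the SDelete registry keys, and a value modification is a `SetValue` event that `registry_add` does not carry. Either reword the description to match the selection, e.g. `description: Detects the creation of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.`, or keep the broader wording and extend the rule to also match the `SetValue` case. The other `registry_add` hunks in this commit (logon script, NetWire, Ursnif, EulaAccepted) get the same narrowing; nothing in their visible text contradicts it, so no change is needed there.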
@@ -3,7 +3,7 @@ id: 1547e27c-3974-43e2-a7d7-7f484fb928ec
description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
author: frack113
date: 2022/04/04
modified: 2022/04/29
modified: 2022/06/26
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network
@@ -13,6 +13,7 @@ logsource:
product: windows
detection:
selection:
EventType: Setvalue
TargetObject|startswith:
- 'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\'
- 'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\'
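Review bot: The added `EventType: Setvalue` uses a different casing from the `SetValue` this commit adds in the later hunks (Outlook WebView, Terminal Services, UACME) and from the Sysmon value the field carries; the same lower-case form is added in the sdclt, DHCP callout, SystemRestore, COR_PROFILER, hidden-files, root-certificate, Blue Mockingbird, AppCompatFlags and TrustRecords hunks. Sigma string matching is case-insensitive by default, so this is not a detection defect, but a backend that emits case-sensitive comparisons, or anyone searching the rule set for the value, is better served by one canonical spelling. Change each of these lines to `EventType: SetValue`. The rule's logsource category is outside this hunk.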
@@ -7,12 +7,13 @@ references:
- http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
- https://www.exploit-db.com/exploits/47696
date: 2020/09/27
modified: 2022/03/26
modified: 2022/06/26
logsource:
category: registry_set
product: windows
detection:
selection:
EventType: Setvalue
TargetObject: 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
condition: selection
falsepositives:
@@ -8,12 +8,13 @@ references:
- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
date: 2017/05/15
modified: 2022/03/26
modified: 2022/06/26
logsource:
category: registry_set
product: windows
detection:
selection:
EventType: Setvalue
TargetObject|endswith:
- '\Services\DHCPServer\Parameters\CalloutDlls'
- '\Services\DHCPServer\Parameters\CalloutEnabled'
@@ -3,6 +3,7 @@ id: 5de03871-5d46-4539-a82d-3aa992a69a83
description: Detects the modification of the registry to disable a system restore on the computer
author: frack113
date: 2022/04/04
modified: 2022/06/26
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
@@ -11,6 +12,7 @@ logsource:
product: windows
detection:
selection:
EventType: Setvalue
TargetObject|startswith:
- 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
- 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
@@ -8,12 +8,13 @@ references:
- https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors
- https://www.sans.org/cyber-security-summit/archives
date: 2020/09/10
modified: 2022/03/26
modified: 2022/06/26
logsource:
category: registry_set
product: windows
detection:
selection:
EventType: Setvalue
TargetObject|endswith:
- '\COR_ENABLE_PROFILING'
- '\COR_PROFILER'
@@ -3,6 +3,7 @@ id: 5a5152f1-463f-436b-b2f5-8eceb3964b42
description: Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.
author: frack113
date: 2022/04/02
modified: 2022/06/26
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry
@@ -11,6 +12,7 @@ logsource:
product: windows
detection:
selection:
EventType: Setvalue
TargetObject:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
@@ -3,6 +3,7 @@ id: d223b46b-5621-4037-88fe-fda32eead684
description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
author: frack113
date: 2022/04/04
modified: 2022/06/26
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store
@@ -12,6 +13,7 @@ logsource:
product: windows
detection:
selection:
EventType: Setvalue
TargetObject|contains:
- '\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\'
- '\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\'
@@ -4,7 +4,7 @@ related:
- id: c3198a27-23a0-4c2c-af19-e5328d49680e
type: derived
date: 2020/05/14
modified: 2022/03/26
modified: 2022/06/26
status: experimental
description: Attempts to detect system changes made by Blue Mockingbird
references:
@@ -15,6 +15,7 @@ logsource:
category: registry_set
detection:
selection:
EventType: Setvalue
TargetObject|endswith: '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
condition: selection
falsepositives:
@@ -7,12 +7,13 @@ references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/1
- https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html
date: 2020/05/02
modified: 2022/03/26
modified: 2022/06/26
logsource:
product: windows
category: registry_set
detection:
selection:
EventType: Setvalue
TargetObject|contains: '\AppCompatFlags\Compatibility Assistant\Store\'
condition: selection
falsepositives:
@@ -4,7 +4,7 @@ status: experimental
description: Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)
author: Trent Liffick (@tliffick)
date: 2020/05/22
modified: 2022/03/26
modified: 2022/06/26
references:
- https://twitter.com/inversecos/status/1494174785621819397
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
@@ -14,6 +14,7 @@ logsource:
product: windows
detection:
selection:
EventType: Setvalue
TargetObject|endswith:
- '\Security\Trusted Documents\TrustRecords'
- '\Security\AccessVBOM'
@@ -6,17 +6,17 @@ references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
author: Tobias Michalski
date: 2021/06/10
modified: 2022/03/26
modified: 2022/06/26
logsource:
product: windows
category: registry_set
detection:
selection1:
EventType: SetValue
TargetObject|contains:
- 'Software\Microsoft\Office\'
- '\Outlook\Today\'
selectionStamp:
EventType: SetValue
TargetObject|endswith: Stamp
Details: DWORD (0x00000001)
selectionUserDefined:
@@ -7,12 +7,13 @@ references:
- https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us
author: Tobias Michalski
date: 2021/06/09
modified: 2022/03/26
modified: 2022/06/26
logsource:
product: windows
category: registry_set
detection:
selection_1:
EventType: SetValue
TargetObject|contains:
- '\Software\Microsoft\Office\'
- '\Outlook\WebView\'
@@ -3,6 +3,7 @@ id: fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7
description: Detects the modification of the registry of the currently logged in user to disable PowerShell module logging, script block logging or transcription and script execution logging
author: frack113
date: 2022/04/02
modified: 2022/06/26
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled
@@ -11,6 +12,7 @@ logsource:
product: windows
detection:
selection:
EventType: SetValue
TargetObject|endswith:
- SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\EnableModuleLogging
- SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging
@@ -9,12 +9,13 @@ references:
- https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03
- http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/
date: 2019/04/03
modified: 2022/03/26
modified: 2022/06/26
logsource:
category: registry_set
product: windows
detection:
selection_reg:
EventType: SetValue
TargetObject|contains:
- '\services\TermService\Parameters\ServiceDll'
- '\Control\Terminal Server\fSingleSessionPerUser'
@@ -7,12 +7,13 @@ references:
- https://github.com/hfiref0x/UACME
author: Omer Yampel, Christian Burkard
date: 2017/03/17
modified: 2022/03/26
modified: 2022/06/26
logsource:
category: registry_set
product: windows
detection:
selection1:
EventType: SetValue
TargetObject|endswith: Software\Classes\exefile\shell\runas\command\isolatedCommand
selection2:
EventType: SetValue